
Certification Authorities in LA and links with TAGPMA

Certification Authorities in LA and links with TAGPMA. Vanessa Hamar (ULA) / Jorge Gomes (LIP) vanessa@ula.ve / jorge@lip.pt First Latin American EELA Workshop Mérida, 24.04.2006. Pilot Testbed operation and support.



  1. Certification Authorities in LA and links with TAGPMA
  Vanessa Hamar (ULA) / Jorge Gomes (LIP)
  vanessa@ula.ve / jorge@lip.pt
  First Latin American EELA Workshop, Mérida, 24.04.2006

  2. Pilot Testbed operation and support
  • EELA aims to establish a common interoperable Pilot Grid Testbed between existing resources in Latin America and Europe, based on the EGEE middleware framework. The EELA Pilot Testbed supports dissemination activities and application exploitation.
  • EELA will start with a reduced set of sites that will be expanded as the project evolves.
  • However, the range of users will include all partners and also new users not yet identified.
  • Grid authentication is the first major deployment issue.
  Segundo Taller Latino Americano de Computación Grid – Primer Taller Latino Americano de EELA – Primer Tutorial Latino Americano de EELA

  3. Relationships with other projects
  EELA will work closely with several international projects:
  • EGEE
    • Use of EGEE middleware to set up a pilot e-infrastructure interoperable with EGEE.
    • EELA will set up an LA ROC (Regional Operational Centre) following the EGEE model.
    • The EELA European partners already operate grid infrastructures integrated into EGEE.
  • Close collaboration with other projects: ALICE/GEANT, EUCHINAGRID, EUMEDGRID, SEE-GRID, …
  • EELA must be interoperable with these projects!

  4. Authentication
  • Most grid infrastructures, including the ones based on EGEE/LCG middleware, use X.509 certificates for authentication.
  • How it works:
    • Each user, system or service must have a certificate that is used for authentication purposes.
    • In order to ensure the identity of each subject (user, system or service), the certificate must be signed by a trusted authority that asserts that the certificate belongs to the subject.
    • These are the so-called certification authorities (CAs), which:
      • Accept certificate requests and verify the subject identity
      • Sign the successfully verified certificate requests
      • Revoke certificates when needed
      • Issue lists of revoked certificates
  • An X.509 authentication infrastructure is called a PKI (Public Key Infrastructure).

  5. Authentication
  • In the grid world one single CA usually covers a predefined geographic region or administrative domain:
    • Large organization
    • Country
    • A set of countries (scalability can be an issue)
  • A common international trust domain for grid computing has been created to join the several existing certification authorities into a single authentication domain, thus enabling the sharing of grid resources worldwide.
  • The International Grid Trust Federation (IGTF) has been created to coordinate and manage this trust domain.

  6. IGTF
  • The international scientific community is working to deploy computational Grids for the advancement of science and engineering.
  • The promise of global computational Grids requires policies and procedures that reliably identify Grid subscribers and resources.
  • A number of regional and large PKIs have established Policy Management Authorities (PMAs) to manage their individual certification processes.
  • The goal of the IGTF will be to foster harmonization and synchronization of the various PMAs' policies, to allow a global trust relationship to be established.
  • Three PMAs have been created covering 3 world regions:
    • European Grid PMA (EUgridPMA)
    • Asia Pacific Grid PMA (APgridPMA)
    • The Americas Grid PMA (TAGPMA)
  • The European Grid PMA was the first PMA to be established and was born from the DataGrid Certification Authorities Coordination Group (CACG), which was established by the DataGrid and CrossGrid projects.

  7. IGTF
  International Grid Trust Federation (Working to Establish Worldwide Trust for Grids)
  http://www.gridpma.org
  (Figure: world map of IGTF member CAs grouped under the Asia Pacific PMA, the European PMA and the Americas PMA. CAs shown, as recovered from the figure: AIST (Japan), APAC (Australia), ASGCC (Taiwan), SDG (China), IHEP (China), KISTI (Korea), Naregi (Japan), BMG (Singapore), CMSD (India), HKU (Hong Kong), NCHC (Taiwan), Osaka U. (Japan), USM (Malaysia), NorduGrid (Nordic countries), PolishGrid (Poland), Russian Datagrid (Russia), SlovakGrid (Slovakia), DataGrid-ES (Spain), UK e-Science (United Kingdom), BelnetGrid (Belgium), Grid-PK (Pakistan), FNAL Grid (USA), GridCanada (Canada), DOEGrids (USA), ArmeSFo (Armenia), IUCC (Israel), ASCCG (Taiwan), SeeGrid (Europe), RMKI (Hungary), SWITCH (Switzerland), DFN (Germany), RDIG (Russia), PKIrisGrid (Spain), LIP CA (Portugal), CERN CA (Switzerland), CNRS Grid (France), CyGrid (Cyprus), CESNET (Czech), DutchGrid (Netherlands), GermanGrid (Germany), HellasGrid (Greece), GridIreland (Ireland), INFN CA (Italy), Belnet (Belgium), SIGNET (Slovenia), EstonianGrid (Estonia), AustrianGrid (Austria), NIIF/HungarNet (Hungary), BalticGrid (Europe), TR-Grid (Turkey).)
  The list is always growing.

  8. EUgridPMA
  The EUgridPMA is a body established to define requirements and best practices for grid identity providers, so as to enable a common trust domain applicable to the authentication of end entities in inter-organisational access to distributed resources.
  As its main activity, the EUgridPMA coordinates a Public Key Infrastructure (PKI) for use with Grid authentication middleware.
  The EUgridPMA itself does not provide identity assertions, but instead asserts that the certificates issued by the accredited authorities meet or exceed the relevant guidelines.
  (Figure: relationship between the PMA, the accredited authorities and the relying parties.)

  9. TAGPMA
  • The Americas PMA (TAGPMA) is a regional PMA created to cover the Americas, from Canada to the tip of Chile.
  • TAGPMA was created in 2005 and its membership and activities are just starting.
  • The appearance of potential new CAs in LA supported by the EELA project has been welcomed by TAGPMA:
    • they are providing the needed push to start the charter
    • this is also welcomed by the EUgridPMA, which already has too many members
  • Members of the TAGPMA which operate a classic PKI-based authentication service must continue to operate the service under the Classic PKI Authentication Profile that is maintained by the EUgridPMA.
  • For more information see: http://www.tagpma.org/

  10. Accreditation
  • For new CAs to be accepted as an IGTF PMA member they have to pass through a rigorous and extensive accreditation process:
    • The CA policies and operations must be extensively documented in a CP/CPS document.
    • The CP/CPSs are reviewed by the PMA members.
    • The CA online repositories are checked by the PMA.
    • The CA managers must attend the PMA face-to-face meetings, present the CA and answer all questions from the other members, including other CA managers and relying parties.
    • The CA must implement all required changes.
  • This is an iterative process that aims to establish trust.

  11. EELA Authentication
  • Upon the start of EELA there were no Latin American CAs recognized by IGTF or any of its three PMAs.
  • For EELA, the deployment of a PKI in Latin America recognized by IGTF is fundamental for the deployment of the grid computing pilot testbed and for the project's success.
  • This PKI is a basic requirement for the successful dissemination and extension of grid technologies into the LA countries.
  • EELA is setting up a PKI authentication infrastructure:
    • Compatible with EGEE, LCG, and other EGEE/LCG-based projects
    • Internationally accepted/recognized (IGTF)
    • That can remain operational beyond the end of the project:
      • as one of the project outcomes
      • allowing further future projects in LA and within each country
      • enabling LA scientific users to share and access resources at global level

  12. EELA and CAs
  • The IGTF is a recent development.
    • When the EELA Technical Annex was written the IGTF didn't yet exist.
    • The EELA strategy had to be adjusted.
  • Short term (for the immediate needs):
    • Use the existing catchall CA from CNRS (France)
    • This is a temporary solution
    • By the end of the year EELA needs a better working solution
  • Medium term:
    • Contact IGTF through the EUgridPMA (where some of the project partners are CA representatives)
    • Ask for the help of the PMAs in the setup and accreditation of the CAs
    • Establish new CAs in LA:
      • one per country where possible
      • one catchall CA for the whole LA region
      • using the classic CA profile
    • Obtain accreditation from the TAGPMA

  13. Classic Profile
  • What it is:
    • The CA signs and revokes certificates
    • These are long-term certificates (one year)
    • The CA has subordinate RAs that just perform the administrative task of checking the subject identity in different organizations or departments
    • The other possible profile is the SLCS, where short-lifetime certificates are issued based on other credentials such as Kerberos tickets, but this is not yet recognized at the IGTF level.
  • Advantages:
    • It is the best-known CA profile
    • A lot of know-how and solutions already exist
    • Most of the CAs operating today use the classic profile
    • It is the easiest to support across administrative domains
    • The profile requirements are stable and controlled by the EUgridPMA

  14. Classic Profile
  • A network of subordinate RAs is necessary to perform the identity verification of the subjects.
  • The RAs will be created at the level of the organizations or at the level of departments:
    • Operating at university or research-centre-wide level (more difficult)
    • Operating at the level of a department or group
  • The CA can also operate an RA, but don't forget that the physical presence of the subject is required for identity verification.
  • The RAs will be created only upon request; their creation should be user driven.
  (Figure: a single CA with subordinate RAs at Univ A to Univ G.)

  15. Classic profile
  • How to obtain a certificate:
    • A certificate request is performed
    • The user identity is confirmed by the RA
    • The certificate is issued by the CA
    • The certificate is used as a key to access the grid
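  The request, RA check, issue and use steps of slide 15, together with the revocation and revocation-list duties listed on slide 4, played out against a throwaway CA with the OpenSSL command line. This is an added example, not code or configuration from the EELA project or the presenters: the CA name, subject names, key sizes, validity periods and the minimal openssl.cnf are all constructed for the demo and are not any EELA CA's actual settings. It assumes an `openssl` binary (1.1 or later) on the PATH and a POSIX shell.

```shell
#!/bin/sh
# Added example: classic-profile certificate lifecycle with the openssl CLI.
# All names, paths and parameters below are constructed for this demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CADIR="$WORKDIR/ca"
mkdir -p "$CADIR/newcerts"
: > "$CADIR/index.txt"       # openssl ca's database of issued/revoked certificates
echo 01 > "$CADIR/serial"     # next serial number to issue

# Minimal openssl configuration for the demo CA (constructed, not an EELA CP/CPS).
# default_days = 365 mirrors the classic profile's one-year end-entity lifetime.
cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_demo
x509_extensions = usr_cert
[ policy_demo ]
countryName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Step 0: the CA creates its self-signed certificate, the trust anchor that
# relying parties (grid sites) install.
openssl req -config "$CADIR/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
  -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" -days 3650 \
  -subj "/C=VE/O=ULA/CN=Demo Grid CA" 2>/dev/null

# Step 1 (slide 15): the user generates a key pair and a certificate request.
openssl req -config "$CADIR/ca.cnf" -new -newkey rsa:2048 -nodes \
  -keyout "$WORKDIR/user.key" -out "$WORKDIR/user.csr" \
  -subj "/C=VE/O=ULA/CN=Demo Grid User" 2>/dev/null

# Step 2: the RA confirms the user's identity in person. Nothing to automate
# here; the CA only signs after the RA reports a successful check.
# Step 3: the CA signs the request and records the certificate in its database.
openssl ca -config "$CADIR/ca.cnf" -batch -notext \
  -in "$WORKDIR/user.csr" -out "$WORKDIR/user.crt" 2>/dev/null

# Step 4: a relying party checks that the certificate chains to a trusted CA.
verify_chain_only() {
  openssl verify -CAfile "$CADIR/ca.crt" "$WORKDIR/user.crt" >/dev/null 2>&1
}

# Revocation (slide 4): the CA revokes the certificate and publishes a CRL.
revoke_and_publish_crl() {
  openssl ca -config "$CADIR/ca.cnf" -revoke "$WORKDIR/user.crt" >/dev/null 2>&1
  openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/ca.crl" >/dev/null 2>&1
}

# A relying party that loads the CRL next to the CA certificate rejects the
# revoked certificate; one that only has the CA certificate does not notice.
verify_chain_and_crl() {
  cat "$CADIR/ca.crt" "$CADIR/ca.crl" > "$WORKDIR/trust.pem"
  openssl verify -crl_check -CAfile "$WORKDIR/trust.pem" "$WORKDIR/user.crt" >/dev/null 2>&1
}

verify_chain_only && echo "issued certificate verifies against the CA"
revoke_and_publish_crl
verify_chain_only && echo "after revocation: still accepted when the CRL is not loaded"
if verify_chain_and_crl; then
  echo "after revocation: accepted even with the CRL (unexpected)"
else
  echo "after revocation: rejected once the CRL is checked"
fi
```

  Run it as `sh demo.sh`. The last two lines are the point worth keeping from a site's perspective: `verify_chain_only` still succeeds after the revocation because it never loads the CRL, and only `verify_chain_and_crl` rejects the certificate. A site that installs a CA's certificate but does not fetch that CA's CRLs keeps trusting every revoked subject, which is why the slide lists issuing revocation lists as a CA duty and why relying parties have to consume them.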

  16. Why one CA per country
  • Long-term scalability
    • Latin America is a huge geographic area
    • Many LA countries are quite large
    • The potential number of users and end entities is high
  • Long-term sustainability
    • There is a cost associated with the operation of the CAs
    • A single large CA would raise the cost and funding issue
    • Easier to fund
  • Awareness of local details
    • Better knowledge of the local law
    • Better knowledge of the local academic environment
  • Better coordination and support
    • Nearest to the end users
    • Same language
    • Better understanding of the needs and difficulties
  • Flexibility
    • Easier to adapt to new local requirements
  • Robustness and security
    • If a CA fails, the implications will be limited to a single country
  NEEDED FOR LARGE DEPLOYMENT (this is the model recommended by the EUgridPMA)

  17. Catchall CA
  • A catchall CA is used to issue certificates to organizations in regions without a specific national CA when:
    • The national CAs are still being deployed
    • There are difficulties in setting up a national CA
  • EELA is setting up a catchall CA for the Latin American region.
  • The CA will be operated by Universidade Federal Fluminense (UFF) in Brazil.

  18. Current CNRS RAs
  • As a short-term solution EELA is obtaining certificates for the LA partners from the French CNRS catchall CA.
  • Four RAs have been established:
    • UFF (Universidade Federal Fluminense)
      • Instituto de Computação (Vinod Rebello)
    • UFRJ (Universidade Federal do Rio de Janeiro)
      • Instituto de Física (Diego Carvalho)
    • UNAM (Universidad Nacional Autonoma de Mexico)
      • Instituto de Ciencias Nucleares (Lukas Nellen)
    • ULA (Universidad de los Andes)
      • Centro Nacional de Cálculo Científico (Vanessa Hamar)
  • More will be established as necessary.
  • The use of the CNRS catchall CA is a temporary measure with reduced scalability.

  19. EELA Candidate CAs
  • Argentina
    • UNLP - Universidad Nacional de La Plata
    • Javier Diaz <jdiaz@unlp.edu.ar>
  • Brazil
    • UFF – Universidade Federal Fluminense
    • Vinod Rebello <vinod@ic.uff.br>
  • Chile
    • REUNA – Red Universitaria Nacional
    • Juan Carlos Martínez <jcmartin@reuna.cl>
  • Peru
    • SENAMHI – Servicio Nacional de Meteorología e Hidrología del Perú
    • Richard Miguel <rmiguel@senamhi.gob.es>
  • México
    • UNAM – Universidad Nacional Autónoma de México
    • Juan Carlos Guel <cguel@seguridad.unam.mx>
  • Venezuela
    • ULA – Universidad de los Andes
    • Vanessa Hamar <vanessa@ula.ve>

  20. EELA Candidate CAs
  (Slide contains only a figure.)

  21. Status
  • EELA was presented for the first time at the EUgridPMA meeting held in Vienna (Austria) in January:
    • The EELA project was very well received by both the EUgridPMA and TAGPMA members present at the meeting.
    • It was agreed that the first TAGPMA face-to-face meeting would be held in Rio de Janeiro.
  • The deployment work started in January with the focus on the operation procedures and certification practices.
  • EELA members started to participate in TAGPMA videoconferences.
  • EELA was officially accepted as a TAGPMA member representing a major relying party.
  • In March the CP/CPSs of the CAs were submitted to the TAGPMA for review.
  • In March the first TAGPMA face-to-face meeting was organized in Rio de Janeiro with the help of RNP:
    • During the meeting the EELA CAs currently being deployed were presented and their CP/CPSs discussed.
    • The CP/CPSs were considered of very good quality.

  22. Status
  • Most EELA CAs are now actually being deployed, which includes:
    • Customization and deployment of the CA management software
    • Setup of the required systems and services:
      • CA repository
      • CA signing station
  • Full TAGPMA accreditation should be obtained at the next face-to-face meeting, to be held in Canada.

  23. Authorization
  • The possession of a certificate does not by itself give the right of access to any grid resource.
  • The EELA grid authorization is based on the VO concept.
  • VOs are basically groups of users that share common or similar interests and that wish to share the same resources.
  • Instead of authorizing users individually, site access is allowed on a VO basis, enabling better scalability:
    • The site manager does not need to add individual users
    • The site manager authorizes entire VOs
    • The site manager can refuse specific certificate subjects
  • The management of a VO is the responsibility of the VO itself, which designates a VO manager for that purpose.
  • The VO manager is responsible for allowing or denying access to the VO based on the VO policies.
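  The three site-side rules on slide 23 (the site authorizes whole VOs, the VO manager alone decides membership, and the site can still refuse an individual certificate subject) as a small authorization build script. This is an added example, not EELA's tooling or any EGEE/LCG component: it writes its decisions out in the `"subject DN" .poolprefix` grid-mapfile form that LCG and Globus middleware read, but the VO names, member lists, ban list and subject DNs are all constructed for the demo. It assumes only a POSIX shell, grep and awk.

```shell
#!/bin/sh
# Added example: VO-based site authorization (slide 23) expressed as a
# grid-mapfile build. VO names, member lists, ban list and DNs are constructed.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Membership lists, one subject DN per line, as published by each VO manager.
# The VO manager decides who is in the VO; the site never edits these files.
cat > "$WORKDIR/vo-eela.members" <<'EOF'
/C=VE/O=ULA/CN=Demo User One
/C=BR/O=UFF/CN=Demo User Two
/C=MX/O=UNAM/CN=Demo User Four
EOF
cat > "$WORKDIR/vo-climate.members" <<'EOF'
/C=MX/O=UNAM/CN=Demo User Four
/C=CH/O=CERN/CN=Demo User Three
EOF
cat > "$WORKDIR/vo-astro.members" <<'EOF'
/C=CH/O=CERN/CN=Demo User Three
EOF

# Site policy, maintained by the site manager: which VOs the site supports
# (each mapped to a pool-account prefix of the same name) and which individual
# subjects are refused even though their VO is supported.
SUPPORTED_VOS="eela climate"
cat > "$WORKDIR/banned.subjects" <<'EOF'
/C=BR/O=UFF/CN=Demo User Two
EOF

# Exact whole-line match of a DN in a one-DN-per-line file. -F keeps '/' and
# '.' in the DN literal; -x rules out prefix matches such as "...User One"
# against "...User One Two".
dn_in_file() {
  grep -F -x -q -- "$1" "$2"
}

# Build the grid-mapfile: one line per (subject, VO) pair the site accepts,
# in the "DN" .poolprefix form read by LCG/Globus middleware.
build_gridmap() {
  : > "$WORKDIR/grid-mapfile"
  for vo in $SUPPORTED_VOS; do
    while IFS= read -r dn; do
      [ -n "$dn" ] || continue
      # The site-level veto of a specific subject wins over VO membership.
      if dn_in_file "$dn" "$WORKDIR/banned.subjects"; then
        continue
      fi
      printf '"%s" .%s\n' "$dn" "$vo" >> "$WORKDIR/grid-mapfile"
    done < "$WORKDIR/vo-$vo.members"
  done
}

# Decision for one certificate subject: print each VO it is admitted under and
# return 0, or return 1 when no mapping exists (a valid certificate alone is
# not a right of access). The quoted DN plus trailing space is matched at the
# start of the line, so a DN that is a prefix of another cannot match it.
site_authorize() {
  matches=$(awk -v want="\"$1\" " \
    'index($0, want) == 1 { print substr($0, length(want) + 2) }' \
    "$WORKDIR/grid-mapfile")
  [ -n "$matches" ] || return 1
  printf '%s\n' "$matches"
}

build_gridmap
for dn in "/C=VE/O=ULA/CN=Demo User One" \
          "/C=BR/O=UFF/CN=Demo User Two" \
          "/C=CH/O=CERN/CN=Demo User Three" \
          "/C=MX/O=UNAM/CN=Demo User Four"; do
  if vos=$(site_authorize "$dn"); then
    echo "ALLOW $dn -> $(echo "$vos" | tr '\n' ' ')"
  else
    echo "DENY  $dn"
  fi
done
```

  With the constructed data, User One is admitted through eela, User Four through both eela and climate, User Three only through climate (astro is not a VO this site supports), and User Two is refused although the eela VO manager lists them, because the site's own ban list is applied before the mapping is written. Rebuilding the grid-mapfile from the VO lists is the whole of the site's work when a VO manager adds or removes a member, which is the scalability argument the slide makes.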

  24. Future and conclusions
  • An international federation for authentication in grid computing is already in operation worldwide.
  • The EELA efforts will enable the creation of Latin American certification authorities recognized worldwide.
  • We would like to identify other potential end entities and relying parties interested in the use of certificates for grid computing in Latin America, in order to:
    • take further advantage of the authentication infrastructure being deployed
    • join the EELA grid infrastructure
